Cash Value of Android Zero-Day Exploits Surpasses iOS

Apple has long positioned itself as the more secure option compared with open platforms like Windows and Android, but that may no longer hold. As previously unreported "zero-day" iOS exploits pile up, security researchers are watching the cash value of such research fall. Zerodium, a major buyer of such exploits, has updated its acquisition price list. Android exploit chains now command a maximum of $2.5 million, while iOS chains top out at $2 million.

Last month, we reported on a series of iOS exploits uncovered by Google's Project Zero. Google isn't in the business of selling exploits, so it analyzed the campaign and reported it to Apple responsibly. Google found websites using multiple exploit chains to steal data from almost all versions of iOS then in use, and the sites had been operating for at least two years.

Apple rolled out an update to iDevices that blocked those exploits, but you have to wonder how many more unreported attacks are floating around out there. The perpetrators of this campaign weren't even treating the exploits like a valuable commodity. They were compromising any iPhone user who visited the sites, when they could have reserved the chains for targeted attacks against high-value targets. Going that route, they might never have been caught.

Apple talks up iPhone security, but Zerodium says it’s falling behind.

Zerodium buys exploits for big money so it can exclusively provide the research and mitigation measures to its corporate and government clients. Zerodium founder and CEO Chaouki Bekrar says the company still receives ample submissions for iOS exploits, mostly targeting Safari and iMessage. There are so many that the company has started turning down some offers from researchers. On the other hand, functional zero-click or one-click exploit chains for Android are increasingly rare, especially for versions 8.0 and later.

Given the state of the major operating systems, Zerodium decided it makes sense to assign a higher value to Android exploits. Zerodium doesn't pay $2.5 million for just any Android hack, though. Researchers have to submit basic details of the exploit first, and then wait for an offer from Zerodium. The $2.5 million top offer applies only to full-chain exploits against Android 8, 9, or 10. Apple's lower $2 million maximum is still nothing to sneeze at: comparable exploits for desktop systems top out at $1 million. Because mobile platforms were built more recently, defenses such as app sandboxing, mandatory code signing, and verified boot were integrated at a low level from the start rather than bolted on later. That makes them harder to exploit than desktop operating systems.
